[New Rule] Clearing Windows Security Logs #529

Merged
merged 20 commits into from
Jan 12, 2021
Conversation

janniten
Contributor

@janniten janniten commented Nov 12, 2020

Issues

Resolves #500

Summary

Detecting if security logs were cleared is not only important in order to detect hackers' malicious activity but also when you are under strong security regulations (like Sarbanes-Oxley or PCI), where you need to keep track of the administrators' tasks and ensure that audit trails are not altered/cleared.

Existing rule Clearing Windows Event Logs does not detect the activity of clearing security logs in these two situations:

  • If the security logs are cleared from the Event Viewer GUI, whether by a legitimate admin or not. This is because the existing rule analyzes processes and command line arguments in the 4688 Windows event, and in the case of clearing from the GUI no 4688 event is generated
  • If Include command line in process creation events is not enabled in the local policy, command line arguments are not populated in the 4688 event, and therefore it is not possible to know which action was made (cannot detect the argument Clear-EventLog in a PowerShell execution or cl in a WevtUtil execution)

When a security log is cleared using any method (PowerShell, wevtutil or GUI) the Windows event 1102 - The audit log was cleared is always generated.
This rule is based on this event and, in my opinion, can be a good complement to the existing rule Clearing Windows Event Logs.

Contributor checklist

@janniten
Contributor Author

Running the python - detection_rules test, I get the following error

image

@brokensound77 brokensound77 added community OS: Windows windows related rules Rule: New Proposal for new rule labels Nov 12, 2020
@threat-punter
Contributor

@Samirbous do you have an environment up and running to test this query? If not, I can spin up an environment to test it out before reviewing the PR.

@Samirbous
Contributor

@threat-punter I don't have winlogbeat setup, but IIRC @randomuserid has one ?

@elastic elastic deleted a comment from randomuserid Dec 3, 2020
@threat-punter
Contributor

@janniten do you have a screenshot of the query and matching event(s) in Kibana?

Contributor

@brokensound77 brokensound77 left a comment

Thanks for the contribution. I left a few suggestions and comments

brokensound77 and others added 5 commits December 9, 2020 07:57
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@janniten
Contributor Author

janniten commented Dec 9, 2020

@threat-punter, here are the screenshot and the detection in my environment

image

image

Contributor

@threat-punter threat-punter left a comment

Thanks @janniten. The slightly modified query below will return results when the Security event logs or other event logs, such as Application, System, or Microsoft-Windows-PowerShell/Operational are cleared. Windows Event IDs: 104 and 1102

I've made some suggestions in your pull request to apply when you're ready.

image
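The detection logic that the PR description and this comment converge on (event 1102 for the Security log, event 104 for other channels, independent of whether the clearing was done via the GUI, wevtutil or Clear-EventLog), as an added example that is not the repository's rule or anyone's code from this thread. It assumes winlogbeat/ECS-shaped events and a constructed sample batch; the 4688 record without a command line is included only to show why the process-based rule misses it.

```python
# Events the thread settles on: 1102 "The audit log was cleared" (Security log) and
# 104 "The <channel> log file was cleared" (System, Application, PowerShell/Operational...).
# Both come from the Microsoft-Windows-Eventlog provider whichever tool cleared the log,
# so this check does not depend on 4688 command-line auditing being enabled.
LOG_CLEARED_CODES = {"1102", "104"}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


def is_log_cleared(event: dict) -> bool:
    """True for a winlogbeat/ECS-shaped event that records a cleared event log."""
    code = str(event.get("event", {}).get("code", ""))
    provider = event.get("winlog", {}).get("provider_name")
    return code in LOG_CLEARED_CODES and provider == EVENTLOG_PROVIDER


def summarize(event: dict) -> dict:
    """Fields an analyst wants on the alert: host, which log, who cleared it."""
    data = event.get("winlog", {}).get("event_data", {})
    return {
        "host": event.get("host", {}).get("name"),
        "event_code": str(event["event"]["code"]),
        # 1102 always refers to the Security log; 104 names the cleared log in Channel.
        "cleared_log": data.get("Channel", "Security"),
        "user": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
    }


def detect(events):
    """Run the rule over a batch of events and return one alert dict per match."""
    return [summarize(e) for e in events if is_log_cleared(e)]


# Constructed sample batch in winlogbeat shape (not captured telemetry).
SAMPLE_EVENTS = [
    {"host": {"name": "WS01"}, "event": {"code": "1102"},
     "winlog": {"channel": "Security", "provider_name": EVENTLOG_PROVIDER,
                "event_data": {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP"}}},
    {"host": {"name": "WS01"}, "event": {"code": "104"},
     "winlog": {"channel": "System", "provider_name": EVENTLOG_PROVIDER,
                "event_data": {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
                               "Channel": "Microsoft-Windows-PowerShell/Operational"}}},
    # 4688 with an empty command line: the gap in the process-based rule. It is ignored
    # here on purpose, because the 1102/104 events above already carry the signal.
    {"host": {"name": "WS01"}, "event": {"code": "4688"},
     "winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing",
                "event_data": {"NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
                               "CommandLine": ""}}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```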

janniten and others added 3 commits December 9, 2020 17:18
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
brokensound77 and others added 2 commits December 9, 2020 19:51
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@threat-punter threat-punter self-requested a review December 9, 2020 19:14
@threat-punter threat-punter removed their request for review December 19, 2020 13:55
@threat-punter threat-punter requested review from brokensound77, Samirbous and threat-punter and removed request for threat-punter January 4, 2021 18:10
@threat-punter threat-punter self-requested a review January 4, 2021 18:11
@threat-punter threat-punter requested review from threat-punter and bm11100 and removed request for bm11100 January 4, 2021 18:13
@threat-punter threat-punter requested review from threat-punter and removed request for threat-punter January 4, 2021 18:16
@brokensound77 brokensound77 added v7.12.0 7.12 rules release package and removed v7.11.0 labels Jan 6, 2021
threat-punter and others added 3 commits January 11, 2021 09:14
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
@threat-punter threat-punter merged commit fb92c69 into elastic:main Jan 12, 2021
Successfully merging this pull request may close these issues.

[New Rule] Clearing Windows Event Logs
6 participants